California CPPA Issues Notice of Proposed Rulemaking

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

California CPPA Issues Notice of Proposed Rulemaking.

After over a year of informal information gathering and revisions, the California Privacy Protection Agency (CPPA) moved its draft regulations regarding CCPA updates, cybersecurity audits, risk assessments, automated decision-making technology and insurance requirements to a formal rulemaking process, with a written comment period running through January 14, 2025 and a public hearing January 14. 

TAKEAWAY

If adopted, some notable new requirements would include:

(a) mandatory display of whether a business has processed a consumer’s opt-out preference signal (it is currently optional);

(b) mandatory inclusion of a link to a privacy policy within the application’s settings menu (this is currently optional);

(c) for businesses using automated decision-making technology (ADMT), inclusion of a Pre-Use Notice containing a link to opt out of such technology and extension of a right to access certain information about the ADMT;

(d) for businesses that sell or share personal information collected through a connected device or augmented or virtual reality, provision of an opt out notice before the connected device begins collecting information and before the consumer enters the augmented or virtual reality environment;

(e) implementation of measures to ensure that information remains deleted, deidentified or aggregated after a deletion requires (with a note that failing to consider how deleted information may be re-collected by businesses that regularly receive information from data brokers factors into the decision of whether the business has adequately complied);

(f) compliance with a “Do Not Sell or Share” request immediately where feasibly possible, such as in the case of programmatic advertising that instantaneously sells or shares personal information of consumers visiting a website; and

(g) completion of cybersecurity audits and risks assessments by businesses whose processing of consumers’ personal information presents significant risk to consumers’ security or privacy, respectively, each as determined by specific thresholds and criteria set forth in the regulations (including, for a risk assessment, any sale or sharing of personal information). 

California Judge Moves VPPA Case to Arbitration Based on Terms of Use

A class action lawsuit alleging violation of the Video Privacy Protection Act by NFHS Network based on its sharing of consumer video viewing habits with Meta and other third parties has been ordered to arbitration.

The judge found that NFHS met its burden of showing that it provided “reasonably conspicuous notice” of its Terms of Use containing an arbitration clause as well as evidence that the plaintiff, when signing up for a free account, clicked a box stating “I Accept the Terms and Conditions” with a hyperlink to the terms.

TAKEAWAY

As class action privacy lawsuits become increasingly prevalent, this case demonstrates the importance of not only providing clear terms and consent processes (whether for consent to an arbitration clause or to the data processing activity itself) but also maintaining the ability to document and demonstrate historical terms and consent processes over time.     

To learn more about how Sourcepoint helps mitigate litigation risk under VPPA, watch our webinar on-demand.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.